Home
Attack
Dataset
Contact Us
Attack
2024 01
T1-24–01–S–N–CL
T2-24–01–S–N–CL
T3-24–01–S–N–CL
T4-24–01–S–E–M
T5-24–01–S–E–LM
T6-24–01–S–E–FH
T7-24–01–M–NE–CLM
T8-24–01–M–NE–CFHL
T9-24–01–M–NE–CLM
2024 02
T1-24–02–S–N–CIKM
T2-24–02–S–N–CL
T3-24–02–S–N–CL
T4-24-02-S-E-M
T5-24-02-S-E-DL
T6-24-02-S-E-DEGN
T7-24-02-M-NE-CDEGLN
T8-24-02-M-NE-CDL
T9-24-02-M-NE-CLH
Dataset
Contact Us
T2-24–01–S–N–CL
SMBGhost (CVE-2020-0796)
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.
This vulnerability may affect all users with SMB enabled in Microsoft Windows 10 versions 1903 and 1909 and Windows Server versions 1903 and 1909. To avoid this, disable SMB compression and block port 445.
OS
IP
Software
Log collection
time
Program
runtime
Attacker
Windows 11
192.168.56.1
-
112 sec
140 sec
Victim
Windows 10(1903)
192.168.56.113
SMB
Installing
python3 -m pip install -r requirements.txt
Using
※ The instability of POC may cause intermittent remote connection fail.
python3 run.py
MITRE ATT&CK Framework
Attack Tactic
Reconnaissance
Resource Development
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Logs
./log/2024_01_T2_{time}.pcap # YYmmdd_HHMMSS
References
[1]
NIST [CVE-2020-0796]
[2]
ZecOps [CVE-2020-0796 Remote Code Execution POC]
※ Click on the attack name to see a description and scenario for the attack
2024 01
T1-24–01–S–N–CL
T2-24–01–S–N–CL
T3-24–01–S–N–CL
T4-24–01–S–E–M
T5-24–01–S–E–LM
T6-24–01–S–E–FH
T7-24–01–M–NE–CLM
T8-24–01–M–NE–CFHL
T9-24–01–M–NE–CLM
Copyright(C) 2024, KAIST Cyber Security Reserch Center. All Rights Reserved.
